elmore
May 11th, 2003, 00:40
I took some time today to update my extremely old OBSD firewall at home from 3.0 to 3.3
I wanted to use all the new pf features. The following is what I came up with. Anyone done this yet?

[code:1:579742dfab]
# Macros: define common values, so they can be referenced and changed easily.

ext_if="xl0" # replace with actual external interface name i.e., dc0
int_if="xl1" # replace with actual internal interface name i.e., dc1
internal_net="10.26.1.0/24"
sshhost="any"
NoRouteIP="{ 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"

# Options: tune the behavior of pf, default values are given.

set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set require-order yes

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id max-mss 1440

#Queueing: rule-based bandwidth control.

altq on $ext_if priq bandwidth 256Kb queue \
{ www_out, ssh_out, dns_out, ftp_out, std_out, tcp_ack_out }

#Parameters for the Child outgoing Queues
#www_out - Outgoing www requests
#ssh_out - Outgoing ssh connections
#dns_out - Outgoing dns requests
#ftp_out - Outgoing ftp requests
#std_out - The standard queue all other traffic

queue tcp_ack_out priority 6 priq(red)
queue www_out priority 5 priq(red)
queue dns_out priority 4 priq(red)
queue ssh_out priority 3 priq(red)
queue ftp_out priority 2 priq(red)
queue std_out priq(red default)

altq on $int_if priq bandwidth 2Mb queue \
{ www_in, ssh_in, dns_in, ftp_in, std_in }

#Parameters for the Child incoming Queues
#www_in - incoming www traffic
#ssh_in - incoming ssh traffic
#dns_in - incoming dns traffic
#ftp_in - incoming ftp traffic
#std_in - standard queue for all other traffic

queue www_in priority 5 priq(red)
queue dns_in priority 4 priq(red)
queue ssh_in priority 3 priq(red)
queue ftp_in priority 2 priq(red)
queue std_in priq(red default)

#NAT to the internal network

nat on $ext_if from $internal_net to any -> ($ext_if)

#Don't allow anyone to spoof unroutable addresses

block in quick on $ext_if from $NoRouteIP to any
block out quick on $ext_if from any to $NoRouteIP

#Block all ipopts to fool NMAP attempts

block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU

#Block in Everything by default

block in on $ext_if all

#Let outgoing traffic out and assign it to a queue

block out on $ext_if all

pass out on $ext_if inet proto tcp from any to any port { 80, 443 } flags \
S/SA modulate state queue (www_out, tcp_ack_out)

pass out on $ext_if inet proto udp from any to any port 53 keep state \
queue dns_out

pass out on $ext_if inet proto tcp from any to any port 22 flags S/SA \
modulate state queue (ssh_out, tcp_ack_out)

pass out on $ext_if inet proto tcp from any to any flags S/SA modulate \
state queue (std_out, tcp_ack_out)

# flags only apply to TCP, so the UDP rule carries none
pass out on $ext_if inet proto udp from any to any keep state \
queue std_out

pass out on $ext_if inet proto tcp from any to any port 21 flags S/SA \
modulate state queue (ftp_out, tcp_ack_out)

pass out on $ext_if inet proto icmp all keep state

#Let incoming traffic that needs to come in in and assign it to a queue.

pass in on $int_if from any to $internal_net

pass in on $int_if proto tcp from any port { 80, 443 } to $internal_net \
queue www_in

pass in on $int_if proto { tcp, udp } from any port 53 to $internal_net \
queue dns_in

pass in on $int_if proto tcp from any port 22 to $internal_net queue ssh_in

pass in on $int_if proto tcp from any to $internal_net queue std_in

pass in on $int_if proto tcp from any port 21 to $internal_net queue ftp_in
[/code:1:579742dfab]

I've noticed a significant improvement in performance over my cable modem with this ruleset. Obviously as this is my first attempt at an altq ruleset I'm interested to see how others are doing this.

frisco
May 11th, 2003, 01:52
I wanted to use all the new pf features. The following is what I came up with. Anyone done this yet?

You don't use tables, but i only see one place it would help: $NoRouteIP

[code:1:58ac286e97]
table <NoRouteIP> const { 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }
block in quick on $ext_if from <NoRouteIP> to any
block out quick on $ext_if from any to <NoRouteIP>
[/code:1:58ac286e97]

According to the pf.conf manpage a table is more efficient than a macro.
If you don't declare tables as const, you can also update tables on the fly from cmdline. Doesn't help you in this instance, but it is an easy way to block/pass without having to edit pf.conf (blocking spam hosts, attacks, etc) and tables are changeable even when securelevel 2 is used.

3.0 happens to be what i'm running on my firewall too. I've been planning to upgrade (but not on a Saturday night!) and will find your ruleset quite helpful.

Strog
May 11th, 2003, 02:00
Have you thought about using antispoof instead of NoRouteIP and manually setting antispoofing rules?

antispoof for ext_if inet
etc.

elmore
May 11th, 2003, 02:02
Yeah I thought about using tables for the NoRouteIP and I actually had it listed that way initially in the pf.conf, but when I went to load the ruleset no matter how many -v's I specified I couldn't see the table expand. A pfctl -sa didn't prove to be much help either. I do think I'm gonna use some tables on the mailserver for S.E. The FAQ goes over dynamically adding rules etc. That'll be very useful for spam.

After you upgrade let's compare rulesets. I'll be interested to see what you come up with.

One last thing. Saturday night. Come on man that's time well spent. You can't honestly tell me you've got something better to do than upgrade a fw. :lol:

Strog
May 11th, 2003, 02:31
If you do any scp/sftp then you might want to look at splitting your ssh traffic out. You can give ssh logins higher priority than file transfers using scp/sftp so they stay responsive while the transfers are going.

It's all at the PF faq for those who haven't seen it yet

http://www.openbsd.org/faq/pf/queueing.html

elmore
May 11th, 2003, 12:32
Strog I saw the ssh thing in the FAQ, I think you can do that with other services as well, however I think that CBQ (client based queueing) is the only form that supports breaking down the services, since it calls for sub-queues to be used. I went with priq and red because it seemed like that would suit my needs a little better here at the house. That being said I could be wrong. I'm new to altq so I'm speaking with little to no authority on the subject.

bsdjunkie
May 11th, 2003, 15:01
Here's my current setup. For some reason, the line with the table BLACKHOLE does not want to display correctly in here, even though it shows up right when I try to edit this....... looks like the "<>" are making it invisible, even though the NOROUTE one looks fine.


#macros
int_if = "dc0"
ext_if = "fxp0"
tcp_services = "{ 22, 113}"
icmp_types = "{ 8, 11 }"

#table section
#blackhole is for annoying worms, repeat scan/hack offenders.
#these can be added on the fly or by a cron job and simple script
table <NOROUTE> const { 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }
table <BLACKHOLE> persist file "/etc/blackhole"

#options
set optimization aggressive
set loginterface $ext_if

scrub in all fragment reassemble

#NAT & RDR rules
nat on $ext_if from $int_if:network to any -> ($ext_if)

#Default Deny ALL
block log all

#pass loopback traffic
pass quick on lo0 all

#Block 127.0.0.1 and rfc1918 traffic
block in quick on $ext_if from <NOROUTE> to any
block out quick on $ext_if from any to <NOROUTE>

#block morons in blackhole list
block in quick on $ext_if from <BLACKHOLE> to any

#pass rules
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
flags S/SAFR keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

bsdjunkie
May 11th, 2003, 15:35
btw, the new tables are awesome. Ran a quick script looking for people scanning for trojans and already added 3 ips to the blackhole list =P Looks like kuang2 is the big winner for today on port 17300.


# pfctl -t BLACKHOLE -Tshow
68.37.248.229
68.40.248.131
195.158.129.207

|MiNi0n|
May 11th, 2003, 21:56
btw, the new tables are awesome. Ran a quick script looking for people scanning for trojans and already added 3 ips to the blackhole list =P

Nice. I raised an eyebrow when I saw the dynamic capabilities for tables when reading the FAQ. I used to have a really ugly kludge to add in code red blocks to my pf rules and I always thought "damn... there's gotta be a better way than this". :lol:

Strog
May 11th, 2003, 22:29
Aren't you still manually adding these from your snort logs, BSDjunkie?

or are you doing it dynamically now?

bsdjunkie
May 11th, 2003, 22:35
dynamically. good example here:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=104540589312892&w=2

elmore
May 15th, 2003, 02:20
Edited my ruleset above.

Things Changed:

1. Rule Based Priorities were backwards. The higher the # the higher the priority.

2. Changed the xl1 pass rule to pass in, instead of pass out. DOH!

3. Added a scrub out rule which among other things helps avoid NAT detection.

4. Cleaned up the ruleset in general so it's easier on the eyes to read.

I'm sure I'll be changing it quite a few more times. This thread is a definite work in progress.

Question:

Who can explain the differences between red rio and ecn and which one is better. The FAQ covers this but does not go into enough detail for me to decide which one is best. I have a feeling rio is better than red but I have no facts to back this up.

elmore
May 15th, 2003, 02:57
Junkie -

The only problem I see with auto adding block rules to your pf file is if someone runs an nmap scan and uses lots of decoys. You'll be blocking legit hosts then. Someone could use google or yahoo or your gateway or your own box. I suppose you could set up $HOME_NET in snort to prevent blocking your own IP or your gateway, but you might block other legit hosts. If you dhcp though that might not be so easy.


Question is do you have a way around that? Would you like to share it?

bsdjunkie
May 15th, 2003, 10:01
I would never do anything like this on a production network because of cases like this, but as far as my home LAN is concerned, over 99% of all that traffic has NO reason knowing my network even exists. If I have to remove one address from the blackhole table every now and then, it's as simple as
pfctl -t blackhole -Tdelete x.x.x.x

If it starts to happen often in a DOS attack against me, I'll just disable the script. No big deal.... :D

elmore
May 15th, 2003, 10:20
good point

frisco
May 15th, 2003, 15:03
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=bit.listserv.openbsd-pf&safe=off&selm=20030216142238.GC7270%40insomnia.benzedrine.cx&rnum=3

Daniel Hartmeier outlines how he uses pf/tables to block bad web requests. Relevant excerpt:

It's worth noting that a client must
complete the TCP handshake to fetch a page and get logged in the web
server log, so spoofing source addresses is no threat to this setup.


You could probably work out similar methods for ftp, ssh. You will still be vulnerable to blocking people behind NAT due to one user's malicious acts.

tarballed
May 24th, 2003, 15:13
Hello everyone. Well, I am finally getting time to update my openbsd firewall from 3.2 to 3.3. I'm very excited and plan on taking advantage of a lot of options that the new PF offers in 3.3...

Now, I realize that there are a lot of cool new things offered in 3.3, but some of them I'm not fully sure on how to use...I still have to fully go over the FAQ for this.

So far, this is what I have...(note, I read over elmore and bsdjunkies list and grabbed some ideas)

[code:1:8e901143a2]#OpenBSD 3.3 Updated PF Firewall Rules

#Macros: define common values, so they can be referenced and changed easily.

ext_if = "ep0"
int_if = "dc0"
internal_net="172.16.1.0/24"

#BlackHole section...check and add IP's to my list

table <NoRouteIP> const { 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }
table <blackhole> persist file "/etc/blackhole"


# Options: tune the behavior of pf, default values are given.

set optimization normal
set block-policy return
set loginterface ep0

#Normalization

scrub in all

#NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)

#Default Deny ALL
block in all

#pass loopback traffic
pass quick on lo0 all

#Block 127.0.0.1 and rfc1918 traffic (table names are case-sensitive, so match the definition above)
block in quick on $ext_if from <NoRouteIP> to any
block out quick on $ext_if from any to <NoRouteIP>

#block blackhole list
block in quick on $ext_if from <blackhole> to any

#Pass out LAN Traffic
pass out on $ext_if from any to any keep state[/code:1:8e901143a2]

This is a lot of what I took from 3.2, but as I said, still need to read over the FAQ and man pages.

Any thoughts so far?

Tarballed

tarballed
May 24th, 2003, 16:59
After quickly reading through the PF FAQ, there are a lot of nice new little features that sound very interesting. I'm very curious to try them out. ALTQ sounds pretty cool, and I like the use of tables. That could come in handy.

Anyone have a comment on my rules? Input? Suggestions? Flame? :)

I'm going to give it a go here this afternoon.

Tarballed

tarballed
May 25th, 2003, 03:34
Alright. Got 3.3 up and running. I like it. I notice a difference already.

One question I have is on tables. I noticed this from bsdjunkie's script:

[code:1:daf3fcfc7e]table <NOROUTE> const { 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }

table <BLACKHOLE> persist file "/etc/blackhole"[/code:1:daf3fcfc7e]

I have played with tables a bit and like them. They seem to be very useful.

My question is: on the table persist file "/etc/blackhole" are those IP's automatically added, or do you add them on the file?

Reading through the FAQ, they have this:

[code:1:daf3fcfc7e]table <goodguys> { 192.0.2.0/24 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8 }
table <spammers> persist

table <spammers> persist file "/etc/spammers"[/code:1:daf3fcfc7e]

So I guess I was a little confused on how to implement the persist file.

Can anyone explain that a bit more?

Tarballed

frisco
May 25th, 2003, 13:47
My question is: on the table persist file "/etc/blackhole" are those IP's automatically added, or do you add them on the file?


You create/modify/remove from the /etc/blackhole file.



So I guess I was a little confused on how to implement the persist file.

Can anyone explain that a bit more?


When you first load the pf ruleset, any files will be referenced and the table will be loaded with those rules. If you change the files referenced, you will need to manually load the new tables.

For example, after changing the /etc/blackhole file, run this:
pfctl -t blackhole -T replace -f /etc/blackhole

As long as a table isn't marked const, you can change it without reloading all the pf rules. You can do this with:
pfctl -t [tablename] -T [command]

Read through the pfctl manpage for what [command] can be and for more options.
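A worked example of the dynamic blackhole feeding bsdjunkie and frisco discuss earlier in the thread, joined to the pfctl -T replace workflow just described. This is added code, not bsdjunkie's script or anything from the OpenBSD FAQ: it takes the approach frisco quotes from Daniel Hartmeier (only hosts that completed the TCP handshake appear in a web server log, so decoy-style spoofing cannot land a legitimate host in the table), refuses to list anything inside your own protected networks (elmore's concern), writes the table file, and prints the pfctl command instead of running it. The log lines, bad request paths and protected networks are constructed.

```python
"""Build a pf blackhole table file from httpd access log lines.

Added example for this thread; log lines, paths and networks are
constructed, and the gateway address is a hypothetical placeholder.
"""
import ipaddress
import re

# Constructed: request paths that mark the client as a worm or scanner
BAD_PATHS = ("/default.ida", "/scripts/root.exe", "/c/winnt/system32/cmd.exe")

# Constructed: never blackhole these (loopback, RFC 1918 LAN, hypothetical gateway)
PROTECTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.1/32",
)]

# Apache common log format: client ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def offenders(lines, bad_paths=BAD_PATHS, protected=PROTECTED):
    """Return the source IPs (sorted) that requested a bad path and are not protected."""
    hits = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip_text, _method, path, _status = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # hostname-resolved logs are skipped, addresses only
        if any(ip in net for net in protected):
            continue  # own LAN / gateway / bogon space is never added
        if any(path.lower().startswith(p) for p in bad_paths):
            hits.add(ip)
    return sorted(hits, key=lambda a: (a.version, int(a)))


def table_file(ips):
    """Contents for /etc/blackhole: one address per line, the pf table file format."""
    return "".join(f"{ip}\n" for ip in ips)


def reload_command(table="blackhole", path="/etc/blackhole"):
    """The pfctl call that swaps the new file into the running table."""
    return f"pfctl -t {table} -T replace -f {path}"


# Constructed sample access log (198.51.100.0/24 plays the outside world)
SAMPLE_LOG = [
    '198.51.100.7 - - [15/May/2003:02:20:11 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 276',
    '198.51.100.7 - - [15/May/2003:02:20:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.168.1.23 - - [15/May/2003:02:21:03 -0400] "GET /default.ida HTTP/1.0" 404 276',
    '203.0.113.1 - - [15/May/2003:02:21:40 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.200 - - [15/May/2003:02:22:05 -0400] "GET /index.html HTTP/1.1" 200 1043',
    'garbage that is not a log line',
    '198.51.100.250 - - [15/May/2003:02:23:59 -0400] "HEAD /scripts/root.exe HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    print(table_file(found), end="")   # 198.51.100.7 and 198.51.100.250 only
    print(reload_command())
```

In practice the table file output would be written to /etc/blackhole from cron and the printed command run afterwards; the LAN host and gateway in the sample are dropped even though they requested the same paths.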

tarballed
May 25th, 2003, 14:33
I think I understand it. It will take some playing with and some reading, but I think I have the basics of it...I was also wondering if it was possible to actually have IP addresses automatically assigned to a "blackhole" list if they attempted any funny stuff. :)

Also, here are my rules that I set up for 3.3...just wanted to get it up and running for the most part. I plan on adding more as I go...I wanted to get some feedback here:

[code:1:3d2d0ae492]#My macros
ext_if = "ep0"
int_if = "dc0"
internal_net = "172.16.1.1/16"

#Blackhole section

table <noroute> const { 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }
table <blackhole> persist file "/etc/blackhole"

#Options

set optimization normal
set block-policy drop
set loginterface $ext_if

#normalization

scrub in all

#Nat
nat on $ext_if from $internal_net to any -> ($ext_if)

#Default deny
block in on $ext_if all

#Pass loopback
pass quick on lo0 all

#Default block (table names are case-sensitive, so they must match the definitions above)

block in quick on $ext_if from <noroute> to any
block out quick on $ext_if from any to <noroute>
block in quick on $ext_if from <blackhole> to any

block in quick on $ext_if from any to any

#Pass out rules

pass out on $ext_if proto { tcp, udp } all keep state[/code:1:3d2d0ae492]

Tarballed

|MiNi0n|
May 25th, 2003, 14:49
bsdjunkie posted a url with an example on the first page of this thread.